C-0180 - Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-v1.23-t1.0.1, cis-aks-t1.2.0, cis-eks-t1.2.0

Severity

Low

Description of the the issue

It is important to capture all events and not restrict event creation. Events are an important source of security information and analytics that ensure that your environment is consistently monitored using the event data.

Related resources

What does this control test

Security relevant information should be captured. The --event-qps flag on the Kubelet can be used to limit the rate at which events are gathered. Setting this too low could result in relevant events not being logged, however the unlimited setting of 0 could result in a denial of service on the kubelet.

How to check it manually

Run the following command on each node:

ps -ef | grep kubelet

Review the value set for the --event-qps argument and determine whether this has been set to an appropriate level for the cluster. The value of 0 can be used to ensure that all events are captured.

If the --event-qps argument does not exist, check that there is a Kubelet config file specified by --config and review the value in this location.

Remediation

If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.

If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.

Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

Impact Statement

Setting this parameter to 0 could result in a denial of service condition due to excessive events being created. The cluster's event processing and storage systems should be scaled to handle expected event loads.

Default Value

By default, --event-qps argument is set to 5.

Example

No example